TRINITY NEWS
Tuesday 9th December 2014
Photo: Kevin O’Rourke
Major breach of college network went undetected for months
Photo: Samuel Verbi
The School of Computer Science and Statistics has confirmed that the eight-month-long breach was the action of an individual student. Seán Healy Staff Writer The School of Computer Science and Statistics (SCSS) is investigating a breach of its network after a studentcreated webpage facilitated access to Webcat, a restricted site used by computer science students to submit coursework online, Trinity News has learned. The webpage, hosted on a server run by to the Dublin University Internet Society (Netsoc), had allowed students to circumvent a departmental ban on access to the site outside of Trinity for eight months until it was discovered by SCSS administration on November 30th. It was visited over 20,000 times by 487 individual users, according to site statistics attained by this paper. The breach of Webcat, a software package used by students of its CS2010 module, Algorithms and Data Structures I, was first reported by Dr. Vasileios Koutavas, assistant professor at the School of Computer Science. “I rely on [Webcat] heavily to mark and manage multiple assignments in CS2010, offered to about 135 students each year,” he told Trinity News in a statement. “Thus the security incident […] only affected one module but it exposed very critical infrastructure for the operation of this module, as
well as student information and coursework marks.” In contrast to TCD Blackboard, from which computer science students receive no immediate feedback, Webcat provides students with an automated mark, generated comments and highlighted areas of problematic code. Furthermore, unlike most of College’s other websites, such as my.tcd.ie, which are available on the public web, Webcat runs solely as software on SCSS servers, operating from within the college network. Although Webcat is intended to be used only on campus, other services on the public web that can access it provided a loophole that could be manipulated to undermine the limited access. This meant that anyone with an internet connection and access to the webpage could have accessed the Webcat login page. The process is often metaphorically compared to piggybacking, allowing anyone to climb onto the back of services running from within the college network and be carried across the bridge to the restricted site. Exposure In opening the service to the outer network, zachd.netsoc. ie exposed Webcat to potentially malicious visitors. Within a closed network, denialof-service attacks from single or distributed sources, among
other common hacking techniques, are restricted. Allowing access to Webcat only on campus was a precautionary measure that allowed Dr. Koutavas to limit site visitors to the software installed on college machines, or on devices connected to TCD wifi. A connected device would relay the college username of someone, should they launch an attack, to ISS. In the open, Webcat could have been bombarded with visits from multiple computers, running programmes specializing in purposely repetitious tasks. If an attack succeeded and revealed site infrastructure or student information, the perpetrator would likely be untraceable, as hackers often use IP rerouting software and web browsers tailored for anonymity – none of which are installed on college computers. Investigation Trinity News understands that the third-year computer science student behind the webpage was contacted by SCSS shortly after it had been discovered. Gerry O’Brien, the SCSS systems manager, confirmed in a statement to Trinity News that the breach was the action of a single student and that access to the site was blocked at 11:45pm on November 30th, three hours after Dr. Koutavas contacted SCSS administration.
“
In opening the service to the outer network, zachd.netsoc.ie exposed Webcat to potentially malicious visitors.
E-mail and e-commerce services – like the ones Trinity and other universities use – trust the strength of their security on the public web. As Dr. Koutavas and SCSS administration have not been able to, or have chosen not to, establish the necessary security precautions without limiting access to Webcat, students unable to access services like VPN are required to submit digital assignments on campus. In a statement to Trinity News, Netsoc stated, “[Our] system administrators responded by immediately disabling this website and analysing the source code to determine its function and potential security risk. It was concluded that this website did circumvent security restrictions imposed by SCSS on their network and, as such, was in breach of the Codes of Conduct for having websites hosted in College. Netsoc system administrators contacted [SCSS] to relay the conclusions of their analysis.” In 2011, a Trinity student received national media attention for allegedly compromising an FBI computer and HB Gary Inc. servers. However, the student implicated in this investigation made no attempt to conceal zachd. netsoc.ie and advertised the service to fellow students on at least one occasion.
Comment p.13
Inside
TN2 GOES BACKSTAGE WITH TINKERBELL AT THE PANTO; IRELAND’S LEADING CHOCOLATIERS SPILL THE COCOA BEANS; AND WE DELVE DEEP INTO INDEPENDENT DUBLIN BOOKSHOPS.
Dylan Lynch looks at the science behind birth control.
Will Earle A’Hern dissects Trinity’s culture of cuts.
Bláithín Sheil meets John McLean and Trinny the cat.
Features p.7
“[Webcat] was password protected and was not compromised,” O’Brien said. “The lecturer did not want his site available externally.” Netsoc, he told Trinity News, “immediately shut down the site that was providing the external access” and College’s security officer was informed of the breach. “All potential security matters are taken seriously by the School and thoroughly investigated,” he added, saying that the School “are happy with the co-operation which [it has] received from NetSoc.”
SciTech p.19
Alicia Lloyd talks to Stephanie Roche about that goal.
Sport p. 24